Centralized Identification and Authentication System and Method

ABSTRACT

A method and system are provided by a Central-Entity for identification and authorization of users over a communication network such as the Internet. The Central-Entity centralizes users' personal and financial information in a secure environment in order to prevent the distribution of users' information in e-commerce. This information is then used to create a digital identity for each user. The digital identity of each user is dynamic, non-predictable and time dependent, because it is a combination of a user name and a dynamic, non-predictable and time dependent secure code that is provided to the user for his identification. The user provides his digital identity to an External-Entity such as a merchant or service provider. The External-Entity depends on the Central-Entity to identify the user based on the digital identity given by the user. The External-Entity forwards the user's digital identity to the Central-Entity for identification and authentication of the user and the transaction. The identification and authentication system provided by the Central-Entity determines whether the user is an authorized user by checking whether the digital identity provided by the user to the External-Entity corresponds to the digital identity held for the user by the authentication system. If they correspond, the authentication system identifies the user as an authorized user and sends an approval identification and authorization message to the External-Entity; otherwise the authentication system does not identify the user as an authorized user and sends a denial identification and authorization message to the External-Entity.

RELATED APPLICATIONS

This application is a Continuation of application Ser. No. 11/239,046, filed Sep. 30, 2005, with a priority of a U.S. provisional application 60/615,603, filed Oct. 5, 2004, with the same inventors and assignee. This application is also a Continuation of another U.S. application Ser. No. 09/940,635, filed Aug. 29, 2001, and patented as U.S. Pat. No. 7,356,837, on Apr. 8, 2008, titled “Centralized identification and authentication system and method”, with the same inventors and assignee. Please note that the current application has the same exact specification and Figures as those submitted with the original application Ser. No. 09/940,635, filed Aug. 29, 2001.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a centralized identification and authentication system and method for identifying an individual over a communication network such as the Internet, to increase security in e-commerce. More particularly, it relates to a method and system for generation of a dynamic, non-predictable and time dependent SecureCode for the purpose of positively identifying an individual.

2. Description of the Related Art

The increasing use of the Internet and the increase of businesses utilizing e-commerce have led to a dramatic increase in customers releasing confidential personal and financial information, in the form of social security numbers, names, addresses, credit card numbers and bank account numbers, to identify themselves. This allows them to get access to restricted web sites or electronically purchase desired goods or services. Unfortunately this type of identification is not only unsafe, it is also not foolproof evidence that the user is really the person he says he is. The effect of these increases is reflected in the related art.

U.S. Pat. No. 5,732,137 issued to Aziz outlines a system and method for providing remote user authentication in a public computer network such as the Internet. More specifically, the system and method provides for remote authentication using a one-time password scheme having a secure out-of-band channel for initial password delivery.

U.S. Pat. No. 5,815,665 issued to Teper et al. outlines the use of a system and method for enabling consumers to anonymously, securely and conveniently purchase on-line services from multiple service providers over a distributed network, such as the Internet. Specifically, a trusted third-party broker provides billing and security services for registered service providers via an online brokering service, eliminating the need for the service providers to provide these services.

U.S. Pat. No. 5,991,408 issued to Pearson, et al. outlines a system and method for using a biometric element to create a secure identification and verification system, and more specifically to an apparatus and a method for creating a hard problem which has a representation of a biometric element as its solution.

Although each of the previous patents outlines a valuable system and method, what is really needed is a system and method that offers digital identity to the users and allows them to participate in e-commerce without worrying about privacy and security. In addition to offering security and privacy to the users, the new system has to be simple for businesses to adopt and must not require the financial institutions to change their existing systems. Such a secure, flexible and scalable system and method would be of great value to the businesses that would like to participate in today's electronic commerce.

None of the above inventions and patents, taken either singularly or in combination, is seen to describe the instant invention as claimed. Thus a centralized identification and authentication system and method solving the aforementioned problems is desired.

For convenience, the term “user” is used throughout to represent both a typical person consuming goods and services as well as a business consuming goods and services.

As used herein, a “Central-Entity” is any party that has the user's personal and/or financial information, UserName and Password, and generates a dynamic, non-predictable and time dependent SecureCode for the user. Examples of a Central-Entity are: banks, credit card issuing companies or any intermediary service companies.

As also used herein, an “External-Entity” is any party offering goods or services that users utilize by directly providing their UserName and SecureCode as digital identity. Such an entity could be a merchant, service provider or an online site. An “External-Entity” could also be an entity that receives the user's digital identity indirectly from the user through another External-Entity, in order to authenticate the user; such an entity could be a bank or a credit card issuing company.

The term “UserName” is used herein to denote any alphanumeric name, id, login name or other identification phrase, which may be used by the “Central-Entity” to identify the user.

The term “Password” is used herein to denote any alphanumeric password, secret code, PIN, prose phrase or other code, which may be stored in the system to authenticate the user by the “Central-Entity”.

The term “SecureCode” is used herein to denote any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as part of a digital identity to identify a user as an authorized user.

The term “digital identity” is used herein to denote a combination of the user's “SecureCode” and the user's information such as “UserName”, which may result in a dynamic, non-predictable and time dependent digital identity that could be used to identify a user as an authorized user.

The term “financial information” is used herein to denote any credit card and banking account information such as debit cards, savings accounts and checking accounts.

SUMMARY OF THE INVENTION

The invention relates to a system and method provided by a Central-Entity for centralized identification and authentication of users and their transactions to increase security in e-commerce. The system includes:

- A Central-Entity: This entity centralizes users' personal and financial information in a secure environment in order to prevent the distribution of users' information in e-commerce. This information is then used to create digital identity for the users. The users may use their digital identity to identify themselves instead of providing their personal and financial information to the External-Entities;
- A plurality of users: A user represents both a typical person consuming goods and services as well as a business consuming goods and services, who needs to be identified in order to make online purchases or to get access to restricted web sites. The user registers at the Central-Entity to receive his digital identity, which is then provided to the External-Entity for identification;
- A plurality of External-Entities: An External-Entity is any party that offers goods or services in e-commerce and needs to authenticate the users based on digital identity.

The user signs up at the Central-Entity by providing his personal or financial information. The Central-Entity creates a new account with the user's personal or financial information and issues a unique UserName and Password to the user. The user provides his UserName and Password to the Central-Entity for identification and authentication purposes when accessing the services provided by the Central-Entity. The Central-Entity also generates a dynamic, non-predictable and time dependent SecureCode for the user per the user's request and issues the SecureCode to the user. The Central-Entity maintains a copy of the SecureCode for identification and authentication of the user's digital identity. The user presents his UserName and SecureCode as digital identity to the External-Entity for identification. When an External-Entity receives the user's digital identity (UserName and SecureCode), the External-Entity forwards this information to the Central-Entity to identify and authenticate the user. The Central-Entity validates the information and sends an approval or denial response back to the External-Entity.

There are also communication networks for the user, the Central-Entity and the External-Entity to give and receive information between each other.

This invention also relates to a system and method provided by a Central-Entity for centralized identification and authentication of users to allow them access to restricted web sites using their digital identity, preferably without revealing confidential personal or financial information.

This invention further relates to a system and method provided by a Central-Entity for centralized identification and authentication of users to allow them to purchase goods and services from an External-Entity using their digital identity, preferably without revealing confidential personal or financial information.

Accordingly, it is a principal object of the invention to offer digital identity to the users for identification in e-commerce.

It is another object of the invention to centralize user's personal and financial information in a secure environment.

It is another object of the invention to prevent the user from distributing their personal and financial information.

It is a further object of the invention to keep merchants, service providers, Internet sites and financial institutions satisfied by positively identifying and authenticating the users.

It is another object of the invention to reduce fraud and increase security for e-commerce.

It is another object of the invention to allow businesses to control visitor's access to their web sites.

It is another object of the invention to protect the customer from getting bills for goods and services that were not ordered.

It is another object of the invention to increase customers' trust and reduce customers' fear for e-commerce.

It is another object to decrease damages to the customers, merchants and financial institutions.

It is an object of the invention to provide improved elements and arrangements thereof for the purposes described which are inexpensive, dependable and fully effective in accomplishing its intended purposes.

These and other objects of the present invention will become readily apparent upon further review of the following specification and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a high-level overview of a centralized identification and authentication system and method according to the present invention.

FIG. 2 is a detailed overview of a centralized identification and authentication system and method according to the present invention.

FIG. 3 is a block diagram of the registration of a customer utilizing a centralized identification and authentication system and method according to the present invention.

FIG. 4 is a block diagram of the transaction of a customer utilizing a centralized identification and authentication system and method according to the present invention.

FIG. 5 is a block diagram of a Central-Entity authorizing a user utilizing a centralized identification and authentication system and method according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Detailed descriptions of the preferred embodiment are provided herein. It is to be understood, however, that the present invention may be embodied in various forms. Therefore, specific details disclosed herein are not to be interpreted as limiting, but rather as a basis for the claims and as a representative basis for teaching one skilled in the art to employ the present invention in virtually any appropriately detailed system, structure or manner.

The invention relates to a system 1 and method 2 to identify and authenticate the users and their transactions to increase security in e-commerce. FIG. 1 illustrates a system to positively identify the users 10 in e-commerce based on digital identity.

The system 1 comprises a plurality of users 10, a plurality of External-Entities 20 with goods and services that are desired by the users 10 and a Central-Entity 30 providing a unique UserName and Password to the users 10 and generating dynamic, non-predictable and time dependent SecureCode for the users 10 per user's request. There are also communication networks 50 for the user 10, the Central-Entity 30 and the External-Entity 20 to give and receive information between each other.

It would be desirable to develop a new system 1 and method 2 to centralize user's personal and financial information in a secure environment and to offer digital identity to the users 10 in order to provide privacy, increase security and reduce fraud in e-commerce. Ideally, a secure identification and authentication system 1 would identify legitimate users 10 and unauthorized users 10. This would increase the user's trust, which leads to more sales and cash flow for the merchants/service providers.

The present invention relates to a system 1 and method 2 to support this ideal identification and authentication system. For identification purposes, a digital identity (a unique UserName and a dynamic, non-predictable and time dependent SecureCode) is used by the user 10 at the time of ordering or at the time of accessing a restricted Internet site. A series of steps describing the overall method are conducted between the users 10, the Central-Entity 30 and the External-Entity 20 and are outlined in FIGS. 3, 4 and 5.

There are three distinct phases involved in using the centralized identification and authentication system (FIG. 2), the first of which is the registration phase, depicted in FIG. 3. During the registration phase, the user 10 provides his personal or financial information to the Central-Entity 30. The user 10 registers at the Central-Entity 30, 100, 104 and receives his account and login information such as UserName and Password 108. User 10 can access his account at any time by accessing the Central-Entity's system using a communication network 50 and logging into the system.

Next is the transaction phase, where the user 10 attempts to access a restricted web site or attempts to buy services or products 110, as illustrated in FIG. 4, through a standard interface provided by the External-Entity 20, similar to what exists today, and selects digital identity as his identification and authorization or payment option. The External-Entity 20 displays the access or purchase authorization form requesting the user 10 to authenticate himself using his UserName and SecureCode as digital identity. The user 10 requests a SecureCode from the Central-Entity 30 by accessing his account over the communication network 50, 114. The Central-Entity 30 generates a dynamic, non-predictable and time dependent SecureCode 118 for the user 10. The Central-Entity 30 maintains a copy of the SecureCode for identification and authentication of the user 10 and issues the SecureCode to the user 10. When the user 10 receives the SecureCode 120, the user 10 provides his UserName and SecureCode as digital identity to the External-Entity 20, 124, FIG. 4.

The third phase is the identification and authorization phase. Once the user 10 provides his digital identity to the External-Entity 20, the External-Entity 20 forwards the user's digital identity along with the identification and authentication request to the Central-Entity 30, 130, as illustrated in FIG. 5. When the Central-Entity 30 receives the request containing the user's digital identity, the Central-Entity 30 locates the user's digital identity (UserName and SecureCode) in the system 134 and compares it to the digital identity received from the External-Entity 20 to identify and validate the user 10, 138. The Central-Entity 30 generates a reply back to the External-Entity 20 via a communication network 50 as a result of the comparison. If both digital identities match, the Central-Entity 30 will identify the user 10 and will send an approval of the identification and authorization request to the External-Entity 20, 140; otherwise it will send a denial of the identification and authorization request to the External-Entity 20, 150. The External-Entity 20 receives the approval or denial response in a matter of seconds. The External-Entity 20 might also display the identification and authentication response to the user 10.

To use the digital identity feature, the Central-Entity 30 provides the authorized user 10 the capability to obtain a dynamic, non-predictable and time dependent SecureCode. The user 10 will provide his UserName and SecureCode as digital identity to the External-Entity 20 when this information is required by the External-Entity 20 to identify the user 10.

The Central-Entity 30 may add other information to the SecureCode before sending it to the user 10, by algorithmically combining the SecureCode with the user's information such as UserName. The generated SecureCode will then have all the information needed by the Central-Entity 30 to identify the user 10. In this case the user will only need to provide his SecureCode as digital identity to the External-Entity 20 for identification.

In the preferred embodiment, the user 10 uses the communication network 50 to receive the SecureCode from the Central-Entity 30. The user 10 submits the SecureCode in response to the External-Entity's request 124. The SecureCode is preferably implemented through the use of an indicator. This indicator has two states: “on” for valid and “off” for invalid. When the user 10 receives the SecureCode, the SecureCode is in the “on” or “valid” state. The Central-Entity 30 may improve the level of security by invalidating the SecureCode after its use. This may increase the level of difficulty for an unauthorized user. Two events may cause a valid SecureCode to become invalid:

1. Timer event: This event occurs when the predefined time passes. As mentioned above, the SecureCode is time dependent.

2. Validation event: This event occurs when the SecureCode forwarded to the Central-Entity 30 (as part of digital identity) corresponds to the user's SecureCode held in the system. When this happens the Central-Entity 30 will invalidate the SecureCode to prevent future use and send an approval identification and authorization message to the External-Entity 20, 140.

A valid digital identity corresponds to a valid SecureCode. When the SecureCode becomes invalid, the digital identity will also become invalid.
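
The SecureCode lifecycle described above (issue on request, keep a copy, compare on validation, turn the indicator "off" on a timer event or a validation event), as an added Python example that is not part of the patent text. The class and function names, the 60-second lifetime, the code length, the PBKDF2 password storage and the rule that a new request replaces an earlier code are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedCode:
    code: str            # copy of the SecureCode kept by the Central-Entity
    expires_at: float    # deadline after which the timer event fires
    valid: bool = True   # the "on"/"off" indicator from the description


class CentralEntity:
    """Illustrative Central-Entity; names and parameters are assumptions."""

    def __init__(self, ttl_seconds=60.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._accounts = {}   # UserName -> (salt, PBKDF2 hash of Password)
        self._issued = {}     # UserName -> IssuedCode

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        """Registration phase: create the account and its login credentials."""
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._hash(password, salt))

    def request_secure_code(self, username, password):
        """Transaction phase: an authenticated user asks for a SecureCode."""
        account = self._accounts.get(username)
        if account is None:
            return None
        salt, stored = account
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        code = secrets.token_hex(8)  # non-predictable: drawn from the OS CSPRNG
        # Assumption: a new request replaces (and so invalidates) any older code.
        self._issued[username] = IssuedCode(code, self._clock() + self._ttl)
        return code

    def validate(self, username, secure_code):
        """Identification phase: compare the forwarded identity to the copy."""
        record = self._issued.get(username)
        if record is None or not record.valid:
            return False
        if self._clock() >= record.expires_at:
            record.valid = False          # timer event
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        match = hmac.compare_digest(record.code.encode(), secure_code.encode())
        if match:
            record.valid = False          # validation event: single use
        return match


def external_entity_authorize(central, username, secure_code):
    """External-Entity: forward the digital identity and act on the reply."""
    return "APPROVED" if central.validate(username, secure_code) else "DENIED"


if __name__ == "__main__":
    ce = CentralEntity(ttl_seconds=60)
    ce.register("alice", "correct horse")            # constructed sample account
    code = ce.request_secure_code("alice", "correct horse")
    print(external_entity_authorize(ce, "alice", code))   # first presentation
    print(external_entity_authorize(ce, "alice", code))   # replay of the same code
```

The External-Entity never sees the Password or any personal or financial data; it only relays the UserName and SecureCode and receives an approval or denial.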

While the invention has been described in connection with a preferred embodiment, it is not intended to limit the scope of the invention to the particular form set forth, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims.

1. A method for authenticating a user in e-commerce for a transaction based on a digital identity issued by a Central-Entity, the method comprising:
   a. the user communicates with an External-Entity and performs a secure transaction with the External-Entity;
   b. the External-Entity requires the user to authenticate itself by providing a valid digital identity before executing the transaction;
   c. the user establishes communication with the Central-Entity and submits a request for a dynamic SecureCode in response to the External-Entity's requirement;
   d. the Central-Entity:
      i. dynamically generates a dynamic SecureCode for the user in response to the user request;
      ii. algorithmically combines said generated SecureCode with user-specific information before providing the SecureCode to the user;
      iii. maintains a copy of said generated SecureCode; and
      iv. provides said generated SecureCode to the user,
   e. the External-Entity receives a digital identity from the user, wherein the digital identity comprises a UserName and said generated SecureCode, and forwards said digital identity to the Central-Entity for authentication of the user;
   f. the Central-Entity receives said digital identity, validates said digital identity based on said SecureCode maintained in its system, and if valid, then authenticates the user and sends an affirmation message to the External-Entity; and
   g. upon receipt of an affirmation message from the Central-Entity, the External-Entity executes the transaction.

2. A method as recited in claim 1, wherein said user has a pre-existing relationship with the External-Entity.

3. A method as recited in claim 1, wherein said user has no pre-existing relationship with the External-Entity.

4. A method as recited in claim 1, wherein said External-Entity and said Central-Entity share a cryptographic algorithm.

5. A method as recited in claim 1, wherein said External-Entity and said Central-Entity do not share any cryptographic algorithm.

6. A method as recited in claim 1, wherein said External-Entity and said Central-Entity are within the same organization.

7. A method as recited in claim 1, wherein said External-Entity and said Central-Entity are the same organization.

8. A method as recited in claim 7, wherein all the communications and transactions between said External-Entity and said Central-Entity are within said same organization.

9. A method as recited in claim 8, wherein said all the communications and transactions between said External-Entity and said Central-Entity are transparent to said user and an outside observer.

10. A method as recited in claim 8, wherein said all the communications and transactions between said External-Entity and said Central-Entity are done within a same server.

11. A method as recited in claim 8, wherein said all the communications and transactions between said External-Entity and said Central-Entity are done between two or more different servers.

12. A method as recited in claim 1, wherein said digital identity is based on a logical combination of the SecureCode and the user-specific information.

13. A method as recited in claim 1, wherein said digital identity is based on the SecureCode and the user-specific information.

14. The method of claim 1, wherein the user-specific information comprises UserName.

15. The method of claim 14, wherein the UserName corresponds to an alphanumeric name, ID, login name, an identification phrase, account number, phone number, IP address, hardware key, software key, or serial number.

16. The method of claim 1, wherein the transaction corresponds to a financial transaction.

17. The method of claim 1, wherein the transaction corresponds to a non-financial transaction.

18. The method of claim 1, wherein the transaction corresponds to access to restricted web-site.

19. The method of claim 1, wherein said communication is done on a communication network including Internet, wireless, mobile network, satellite, or private network.

20. The method of claim 1, wherein said communication is done on a communication network including at least a server and a client device.

21. A system for authenticating a user in e-commerce for a transaction based on a digital identity issued by a Central-Entity, the system comprising:
   a. the user in communication with an External-Entity and performs a secure transaction with the External-Entity;
   b. the External-Entity requires the user to authenticate itself by providing a valid digital identity before executing the transaction;
   c. the user in communication with the Central-Entity and with a request for a dynamic SecureCode in response to the External-Entity's requirement;
   d. the Central-Entity adapted to:
      i. dynamically generate a dynamic SecureCode for the user in response to the user request;
      ii. algorithmically combine said generated SecureCode with user-specific information before providing the SecureCode to the user;
      iii. maintain a copy of said generated SecureCode; and
      iv. provide said SecureCode to the user,
   e. the External-Entity adapted to receive a digital identity from the user, wherein the digital identity comprises a UserName and said generated SecureCode, and to forward said digital identity to the Central-Entity to authenticate the user;
   f. the Central-Entity further adapted to validate the received said digital identity based on said SecureCode maintained in its system, and if valid, then to authenticate the user, and send an affirmation message to the External-Entity; and
   g. the External-Entity further adapted to execute the transaction upon receipt of an affirmation message from the Central-Entity.

22. A system as recited in claim 21, wherein said user has a pre-existing relationship with the External-Entity.

23. A system as recited in claim 21, wherein said user has no pre-existing relationship with the External-Entity.

24. A system as recited in claim 21, wherein said External-Entity and said Central-Entity share a cryptographic algorithm.

25. A system as recited in claim 21, wherein said External-Entity and said Central-Entity do not share any cryptographic algorithm.

26. A system as recited in claim 21, wherein said External-Entity and said Central-Entity are within the same organization.

27. A system as recited in claim 21, wherein said External-Entity and said Central-Entity are the same organization.

28. A system as recited in claim 26, wherein all the communications and transactions between said External-Entity and said Central-Entity are within said same organization.

29. A system as recited in claim 28, wherein said all the communications and transactions between said External-Entity and said Central-Entity are transparent to an outside observer and said user.

30. A system as recited in claim 28, wherein said all the communications and transactions between said External-Entity and said Central-Entity are done within a same server.

31. A system as recited in claim 28, wherein said all the communications and transactions between said External-Entity and said Central-Entity are done between two or more different servers.

32. A system as recited in claim 21, wherein said digital identity is based on a logical combination of the SecureCode and the user-specific information.

33. A system as recited in claim 21, wherein said digital identity is based on the SecureCode and the user-specific information.

34. The system of claim 21, wherein the user-specific information comprises UserName.

35. The system of claim 34, wherein the UserName corresponds to an alphanumeric name, ID, login name, identification phrase, account number, phone number, IP address, hardware key, software key, or serial number.

36. The system of claim 21, wherein the transaction corresponds to a financial transaction.

37. The system of claim 21, wherein the transaction corresponds to a non-financial transaction.

38. The system of claim 21, wherein the transaction corresponds to access to restricted web-site.

39. The system of claim 21, wherein said communication is done on a communication network including Internet, wireless, mobile network, satellite, or private network.

40. The system of claim 21, wherein said communication is done on a communication network including at least a server and a client device.

41. A method as recited in claim 4, wherein said External-Entity is using said shared cryptographic algorithm to authenticate a user's identity based on said SecureCode.

42. A method as recited in claim 4, wherein said Central-Entity is using said shared cryptographic algorithm to generate said SecureCode.

43. A method as recited in claim 4, wherein said Central-Entity is using said shared cryptographic algorithm to authenticate a user's identity based on said SecureCode.

44. A method as recited in claim 1, wherein said External-Entity and said Central-Entity are the same entity.

45. The method as recited in claim 1, wherein said Central-Entity generates SecureCode with dependence on at least a dynamic variable.

46. The method as recited in claim 45, wherein said dynamic variable is time.

47. The method as recited in claim 1, wherein said Central-Entity generates SecureCode with dependence on one or more alphanumeric values.

48. The method as recited in claim 47, wherein said one or more alphanumeric values are one or more of the following: unique key, ID, login name, password, identification phrase, account number, phone number, IP address, Hardware key, software key or serial number.

49. The method as recited in claim 47, wherein said one or more alphanumeric values are seed values.

50. The method as recited in claim 1, wherein said digital identity is a SecureCode.

51. The method as recited in claim 1, wherein said user communicates with said Central-Entity over a communication network.

52. The system as recited in claim 21, wherein said digital identity is a SecureCode.

53. The method as recited in claim 1, wherein said user communicates with said External-Entity over a communication network.

54. The system as recited in claim 21, wherein said user communicates with said Central-Entity over a communication network.

55. The system as recited in claim 21, wherein said user communicates with said External-Entity over a communication network.

56. The method as recited in claim 1, wherein said request is generated based on a request event which is automatically generated from a computer, server, or central entity.

57. The method as recited in claim 1, wherein said request is generated based on a request event which is manually generated by an entity or person.

58. The method as recited in claim 1, wherein said request is generated based on a request event.

59. The method as recited in claim 58, wherein said request event is pressing a button.

60. The method as recited in claim 58, wherein said request event is a user's authentication request at said External-Entity.

61. The method as recited in claim 58, wherein said request event is sending a message to said Central-Entity.

62. The method as recited in claim 61, wherein said message is a text message.